Avatar of IT CAMPER
Flag for United States of America asked on

Issue applying domain group policy (GPO) to a user group

Windows domain GPO not applying to custom user group but working fine when applied to Authenticated users. I made sure under Delegation that the custom user group was configured for both "Read" and "Apply group policy". I tested the GPO with only the custom user group (the GPO setting is user based) and when I forced an update and then checked gpresult, it never showed the GPO applied. Also, the login user I was testing with was added to the custom user group. However, as soon as I added Authenticated Users group to the GPO security filtering, the GPO applied on the next Gpupdate and the GPO setting applied as expected. So I am trying to determine why the GPO is not applying when using a custom user group. It's a security group and the group scope if global - this is a small single domain controller network. Very basic. Thanks for the help!

Group PolicyWindows OS* domain controller

Avatar of undefined
Last Comment

8/22/2022 - Mon

Where is the GPO deployed and to whom (security filter) does it apply?
Where is this custom group? is it in an OU that blocks inheritance?

Use GPMC to run the GPO against the computer/user and it should tell you why it is not applying.

It is impossible to know without access.
are you changing the security filter from authenticated users to this security group?

Please confirm it is a security group and not a distribution one.......

Location of the GPO when it applies and the computer/users/security group to whom you wish this GPO to apply

thanks for the response! I'll evaluate the GPO tonight and get back to you. I'm fairly certain it's something simple.
Lawrence Tse


Please try applying to a local group instead.


Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes

Figured it out. Well Microsoft pointed out the issue to me. I went to remove Authenticated Users from the security filter and received a popup that GP requires each computer account to have permission to read GPO data in order to process user group settings. I did not remember that being the case in earlier versions of Server but maybe so as it's been a bit since I setup new GPOs. So I had to simply add Authenticated Users with read only permissions and then setup the custom security group I had created to apply the policy. It's now working perfectly. Thank you both for the feedback!

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question